Friday, March 6, 2015

Critical Windows Processes - System

"System" is one of the critical processes to be aware of on Windows systems. Malicious processes often use the same or similar names as legitimate processes, so it's important that we are able to tell what's legitimate from what's not.

- Uses PID 4

- Like "System Idle Process", this is not actually a true process, as it is not tied to any user-mode application, i.e. there is no "System.exe"

- Runs only in kernel mode

Why does this matter? Still easy! If you see any process on your system running as "System" that points to a specific executable, that should be a clear sign that your system is more than likely infected with malware or is being used for some other malicious activity.
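The check described above, written out as an added PowerShell example that is not part of the original post: it lists every running process whose name looks like "System" and flags any that do not match the real kernel process (PID 4, parent PID 0, no image path on disk, no command line). The function name `Test-SystemProcess` is my own; the `Win32_Process` properties it reads are standard WMI/CIM properties.

```powershell
# Added example, not code from the original post. Flags processes that use the
# name "System" but do not look like the legitimate kernel process described
# above (PID 4, parent PID 0, no backing executable, no command line).
# Run from an elevated PowerShell session so ExecutablePath is readable for
# every process, not just those owned by the current user.

function Test-SystemProcess {
    Get-CimInstance -ClassName Win32_Process |
        # -match is case-insensitive, so "system", "SYSTEM" and "System.exe" all match
        Where-Object { $_.Name -match '^system(\.exe)?$' } |
        ForEach-Object {
            $reasons = @()

            if ($_.ProcessId -ne 4) {
                $reasons += "PID is $($_.ProcessId), expected 4"
            }
            if ($_.ParentProcessId -ne 0) {
                $reasons += "parent PID is $($_.ParentProcessId), expected 0"
            }
            if ($_.ExecutablePath) {
                # The real System process has no image on disk; any path here is a red flag
                $reasons += "backed by image '$($_.ExecutablePath)'"
            }
            if ($_.CommandLine) {
                $reasons += "has command line '$($_.CommandLine)'"
            }

            [pscustomobject]@{
                Name            = $_.Name
                ProcessId       = $_.ProcessId
                ParentProcessId = $_.ParentProcessId
                ExecutablePath  = $_.ExecutablePath
                Suspicious      = ($reasons.Count -gt 0)
                Reasons         = ($reasons -join '; ')
            }
        }
}

# Usage: on a clean host this prints exactly one row, PID 4 with Suspicious = False.
Test-SystemProcess | Format-Table -AutoSize
```

Any row with `Suspicious` set to `True` is worth pulling the image path and hash from and checking against the threat intelligence sources listed below; a second "System" entry with a path under a user-writable directory is the classic case the post is warning about.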

Below is a list of threat intelligence websites that you can use. Cymon.io is an excellent one as it searches around 200 different sources. If you’re looking for a more exhaustive list of threat intel sites, check out https://github.com/rshipp/awesome-malware-analysis